TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Better Cost-Benefit Analysis and Security Measures Are Needed for the
Bring Your Own Device Pilot

September 24, 2013

Reference Number: 2013-20-108

This report has cleared the Treasury Inspector General for Tax Administration disclosure review
process and information determined to be restricted from public release has been redacted from
this document.

Redaction Legend:
2 = Risk Circumvention of Agency Regulation or Statute

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.treasury.gov/tigta

HIGHLIGHTS

Final Report issued on September 24, 2013

Highlights of Reference Number: 2013-20-108 to the Internal Revenue Service Chief Technology
Officer.

IMPACT ON TAXPAYERS

Bring Your Own Device (BYOD) is a popular trend in mobile computing that allows users to access
network resources on their personal mobile devices, such as smartphones. While BYOD has the
potential to provide organizations with cost savings, increased productivity, and improved
employee satisfaction, mobile devices often need additional protection due to threats of theft
and malware exposure. The IRS must ensure that implementing a BYOD program would be cost
effective and that any increased risks to the privacy and integrity of taxpayer data can be
mitigated.

WHY TIGTA DID THE AUDIT

This audit was initiated as part of TIGTA’s Fiscal Year 2013 Annual Audit Plan and addresses
the major management challenge of Security for Taxpayer Data and Employees. The overall
objective of this review was to evaluate the IRS’s costs, administration, and security for its
BYOD efforts.

WHAT TIGTA FOUND

The IRS has taken several noteworthy actions to implement its BYOD pilot, including taking a
phased approach and considering security. Although it has spent more than $900,000 on mobility,
the IRS has not developed a complete cost-benefit analysis to fully justify the implementation
of the BYOD concept.

Federal-level guidance states that BYOD should be cost effective and that a cost-benefit
analysis is essential. While the IRS did prepare a simple cost analysis that compared the
estimated cost of BYOD to the cost of the IRS’s existing mobility programs prior to starting
the BYOD pilot, it was not updated with complete information on assumptions and costs. BYOD
could provide significant benefits; however, these benefits are just conjecture until the IRS
conducts a thorough cost-benefit analysis.

Additionally, increased attention is still needed to address security concerns related to the
460 users participating in the BYOD pilot. The IRS allows BYOD devices access to resources on
the IRS network in addition to providing e-mail access, increasing the risk that privacy and
taxpayer data could be compromised. The IRS also allows devices based on the Android™ operating
system to participate in the BYOD pilot, even though these devices are more subject to malware
than the Apple® devices tested in earlier phases. Audit trails and training also need to be
improved.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure that a cost-benefit analysis for
BYOD is completed that complies with Federal guidance, ensure that BYOD users are allowed
access to e-mail functions only, takes some additional steps before admitting Android devices
into the BYOD pilot, retains and reviews audit trails in compliance with existing policies, and
provides periodic training for BYOD participants on threats and recommended security practices
specific to BYOD.

In its response to the report, the IRS agreed with four of five recommendations and proposed
some corrective actions that it plans to take only if the BYOD pilot is expanded or funding is
identified. The IRS disagreed with the recommendation to defer admitting Android devices into
the pilot until a security risk assessment is completed.

TIGTA believes that some of the corrective actions proposed by the IRS are inadequate because
they are contingent on BYOD expansion or additional funding. The relevant controls should be
put in place for the existing BYOD effort, which does not have a clear end date and which is
being used by hundreds of employees and devices within the production environment.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

September 24, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael E. McKenney
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Better Cost-Benefit Analysis and Security Measures Are Needed
          for the Bring Your Own Device Pilot (Audit # 201320008)

This report presents the results of our review of the Internal Revenue Service’s (IRS) costs,
administration, and security for its Bring Your Own Device efforts. This audit was initiated as
part of the Treasury Inspector General for Tax Administration’s Fiscal Year 2013 Annual Audit
Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant
Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background
Results of Review
    Actions Have Been Taken to Test and Implement Bring Your Own Device on a Limited Scale
    The Costs and Benefits of Bring Your Own Device Should Be Fully Evaluated
        Recommendation 1
    Increased Attention to Security Is Needed
        Recommendations 2 and 3
        Recommendations 4 and 5

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Abbreviations

BYOD    Bring Your Own Device
IRS     Internal Revenue Service
MDM     Mobile Device Management
NIST    National Institute of Standards and Technology

Background

Bring Your Own Device (BYOD) is a popular trend in mobile computing. BYOD programs allow users
to access an employer’s network resources on their personal mobile devices. For example,
employees can use their personally owned smartphone, tablet,[1] and similar devices to stay
connected to and access data from their organization’s internal network. Employees tend to like
BYOD because it allows them to use their own preferred device, and, if they are required to
have a cell phone for work, it can allow them to carry only one device. Businesses and
Government agencies are receptive to it because it has the potential to provide cost savings,
increase productivity, and improve employee satisfaction. BYOD can provide cost savings if the
organization’s cell phone ownership, service, and/or support are reduced or discontinued.
Additionally, BYOD participants who did not previously have an assigned smartphone report
increased productivity because they can quickly address important e-mails while traveling or
between meetings. Employees who chose to participate in BYOD reported high levels of
satisfaction with the experience. However, achieving benefits is contingent on implementation
details and workforce acceptance.

BYOD devices are subject to distinctive threats on two specific fronts: as mobile devices and
as personally owned devices.
Mobile devices often need additional protection because their nature generally places them at
higher exposure to threats than other client devices, e.g., desktop and laptop devices used
only within the organization’s facilities and on the organization’s networks.[2]

A Government Accountability Office report highlighted some threats related to mobile
devices.[3] Although the report related to threats to mobile devices in general, these concepts
also apply in the BYOD situation in which employees use their own personal phones or devices to
access Government resources. This report, issued in September 2012, provides the following
information:

    Threats to the security of mobile devices and the information they store and process have
    been increasing significantly. For example, the number of variants of malicious software,
    known as “malware,” aimed at mobile devices has reportedly risen from about 14,000 to
    40,000 or about 185 percent in less than a year […]. Cyber criminals may use a variety of
    attack methods, including intercepting data as they are transmitted to and from mobile
    devices and inserting malicious code into software applications to gain access to users’
    sensitive information. These threats and attacks are facilitated by vulnerabilities in the
    design and configuration of mobile devices, as well as the ways consumers use them. Common
    vulnerabilities include a failure to enable password protection and operating systems that
    are not kept up to date with the latest security patches.

[1] A smartphone is a cell phone with built-in applications (commonly referred to as “apps”),
    access to the Internet, and the ability to add more apps. A tablet is a computer contained
    in a single panel that is operated through a touch screen.
[2] National Institute of Standards and Technology, Special Publication 800-124 Revision 1,
    Guidelines for Managing the Security of Mobile Devices in the Enterprise (June 2013).
[3] Government Accountability Office, GAO-12-757, Information Security: Better Implementation
    of Controls for Mobile Devices Should Be Encouraged (Sept. 18, 2012).

The more recent Juniper Networks Third Annual Mobile Threats Report estimated that mobile
malware grew 614 percent between March 2012 and March 2013, with 92 percent of it directed
toward Android™ devices. The report cautioned that due to a complex and distributed environment
for mobile devices, rates represent only directional trends.

Another notable mobile device threat is the increase in thefts, especially of smartphones.
Recent reports indicate that as many as 40 percent of robberies involve stolen cell phones,
particularly smartphones. An October 2012 Associated Press report stated that this may have
reached a level of almost 50 percent of robberies in San Francisco, California.
In response to the growing theft problem, the Federal Communications Commission partnered with
private companies to launch an initiative that consists of a series of practical solutions
designed to combat cell phone theft. However, challenges to enforcement remain.

Some reports suggest that mobile device users are even more susceptible to falling victim to
phishing attacks[4] than conventional computer users. Cybercriminals increasingly seek to
obtain sensitive financial and personal information, including tax-related information, through
phishing and other types of cyberattacks. That mobile device users may be more susceptible to
such attacks raises security concerns, particularly when the devices are used to access the
enterprise network.

[4] Phishing attacks trick individuals into disclosing sensitive personal information through
    deceptive computer-based means.

In addition to the risks related to mobile devices, BYOD introduces an element of risk related
to personal ownership and use. When the Government owns the device, the Government can control
and update the device as needed, similar to laptops, and can restrict certain uses of the
device, such as downloading suspicious software or visiting inappropriate websites. However,
this is not the case for personally owned devices, which rely on individual initiative to
implement operating system updates or to take security precautions. Because such restrictions
do not apply to personally owned devices, the chances of downloading malware-infected software
may be increased through such activities as visiting inappropriate sites, participating in
gambling, downloading apps from third-party sites, or even using social media sites.

Employers can use a mobile device management (MDM) solution to help mitigate the risks involved
with mobile devices. MDM allows an organization to manage and control any mobile device on its
network. For example, MDM may be used to ensure that only authorized users access the internal
network, enforce password usage, ensure communication encryption, or limit access to network
applications. MDM and other technologies can mitigate risks associated with mobile devices
participating in BYOD. MDM is a growing area, with an increasing number of vendors offering
these types of products. Education on security dangers and how to increase security is also
helpful in mitigating risks.

Federal-level guidance related to BYOD is developing along with this new technology. To provide
some Federal-level guidance based on successful implementations of BYOD, in August 2012, the
White House issued A Toolkit to Support Federal Agencies Implementing Bring Your Own Device
(BYOD) Programs.
In addition, the National Institute of Standards and Technology (NIST) has issued guidance
related to mobile devices and is working on more guidance related to BYOD; however, as of
June 3, 2013, this guidance has not yet been issued. The NIST warns that, like any new
technology, smartphones present new capabilities but also a number of new security challenges.
Smartphones and tablet devices have powerful capabilities and can be used for sending and
receiving e-mail, browsing the Web, online banking and commerce, social networking, storing and
modifying documents, remotely accessing data, recording audio and video, and navigating (as
navigation aids). These devices are now mobile computers.

This review was performed with information obtained from the Information Technology User and
Network Services, Strategy and Planning, and Cybersecurity organizations located in Lanham,
Maryland; the Office of Privacy, Governmental Liaison, and Disclosure located in Washington,
D.C.; and site visits to Information Technology offices in Oakland and San Francisco,
California, and the Wage and Investment Division office in Walnut Creek, California, during the
period November 2012 through July 2013. We conducted this performance audit in accordance with
generally accepted government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objective. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objective. Detailed information on our audit objective, scope, and methodology is presented in
Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

The Internal Revenue Service (IRS) is currently piloting a limited BYOD effort.[5] It uses an
MDM solution to control access to the internal network and to limit risks associated with
mobile devices. The MDM solution encrypts organizational data and enforces certain security
settings on the personal device, but it does not control or otherwise interfere with using the
personal side of the device. BYOD participants have access to e-mail, calendaring, and some
web-based internal IRS applications. However, technical limitations prevent users from
interfacing with many IRS internal systems.

[5] The IRS currently refers to its BYOD pilot as a “technology demonstrator,” which is meant
    to distinguish BYOD as a provisional initiative or prototype, thus differentiating it from
    formal pilots or large-scale information technology initiatives for which the IRS uses a
    well-established investment decision and enterprise lifecycle methodology. The word “pilot”
    is used in the report in a general sense for ease of understanding.

The IRS has taken several noteworthy actions with respect to implementing its BYOD pilot,
including taking a phased approach and considering security. However, the IRS has not developed
a complete cost-benefit analysis to fully justify the implementation of BYOD within the IRS.
Additionally, increased attention is still needed to address security concerns.

Actions Have Been Taken to Test and Implement Bring Your Own Device on a Limited Scale

The driving force behind BYOD at the IRS has been investigating mobile technology that provides
business value to employees and increasing employee productivity and satisfaction. To these
ends, the IRS has proceeded toward BYOD in phases, which is in line with guidance in the White
House BYOD Toolkit document that advises an incremental approach toward implementation.

Starting in September 2010, the IRS began a proof-of-concept effort to validate the technical
feasibility of the MDM solution, which would allow the IRS to apply security settings on BYOD
devices to mitigate risks. The proof-of-concept effort involved up to 39 Government-purchased
smartphones and tablets and only involved testers from the Information Technology organization.
In a second phase started in April 2011, the IRS purchased an additional 100 iPhone® devices,
expanding the project to include non–Information Technology organization users. This phase was
to help determine the business value of this solution on its own merits and in relation to the
existing BlackBerry® mobile solution. Finally, in June 2012, the IRS started its third phase, a
true BYOD program, when it purchased licenses for up to 1,000 devices to connect to the IRS
network via the MDM solution. Initially, the program was limited to only devices with iOS®
operating systems (Apple® iPhone and iPad® devices) due to the enhanced security features
available in conjunction with the MDM solution. The IRS rolled out the BYOD pilot to eligible
employees[6] starting September 2012. In May 2013, the IRS opened the pilot to Android devices.
Figure 1 illustrates the IRS’s phased approach.

Figure 1: The IRS’s Phased Approach to the BYOD Pilot
Source: Information provided by the IRS BYOD Project Team.

The IRS has made consideration of security an important feature of its mobility efforts with
the implementation of the MDM solution for its BYOD program. The MDM solution used by the IRS
was among those identified by the General Services Administration in May 2013 as a potential
source of supply for MDM because the company understands Government requirements and provides a
compliant encryption solution. Specifically, the MDM solution provides for a secure encrypted
container for Government data on the device and secure communications with the IRS network. It
enforces some basic controls over the security settings on the personal devices, such as
requiring a passcode and enforcing a full device wipe after a certain number of unsuccessful
passcode attempts. The MDM solution also provides the ability to identify devices, prevent
jailbroken or rooted[7] devices from connecting, and send a signal to wipe information on the
device.
The IRS told us that it informally tested some key features of the MDM solution, such as its
ability to wipe devices.

[6] Eligible employees were identified by the business and functional divisions and included
    only non–bargaining unit employees.
[7] Jailbreaking a device entails bypassing certain security features built into Apple iOS
    devices. Jailbreaking allows root access to the operating system and may allow a user to
    use apps besides those in the Apple App Store. Rooting is similar but applies to Android
    devices.

The Costs and Benefits of Bring Your Own Device Should Be Fully Evaluated

The IRS has not completed a full cost-benefit analysis for the BYOD pilot. While the IRS did
prepare a simple cost analysis that compared the estimated cost of BYOD to the cost of the
IRS’s existing BlackBerry and cell phone programs prior to starting the BYOD pilot, the
analysis was not updated with complete information on assumptions and costs. Consequently, as
the pilot expanded, IRS managers relied on the original assumptions and cost projections in the
analysis, which did not provide a sufficient basis for informed decision making.

The White House BYOD Toolkit document states that BYOD should be cost effective and that a
cost-benefit analysis is essential. Detailed guidance on preparing a cost-benefit analysis is
found in Office of Management and Budget Circular A-94, Guidelines and Discount Rates for
Benefit-Cost Analysis of Federal Programs. This circular describes elements of a cost-benefit
analysis, including a policy rationale for the proposed program, a clear explanation of
explicit assumptions and the rationale behind them as well as strengths and weaknesses, an
evaluation of multiple alternative means of achieving program objectives, and a subsequent
verification that anticipated benefits and costs were realized.

We found the following examples of inadequate assumptions or cost comparisons in the IRS’s BYOD
cost-benefit analysis.

• The analysis assumed that all users with IRS-provided phones would willingly choose to
  participate in BYOD when given a choice between BYOD and a Government-provided device.
  However, industry and Government reports indicate that only some employees will choose to
  participate. At another Federal organization, only 23 percent of the employees who had
  Government-provided devices chose to participate in BYOD when given the opportunity to do so.
  The IRS recently surveyed some of its employees currently provided a Government phone and,
  out of 58 respondents, only four indicated that they were willing to give up the Government
  phone for BYOD if keeping both a Government phone and a BYOD was not an option. Additionally,
  in the BYOD pilot phase, the IRS obtained 1,000 licenses to distribute throughout the
  business units but, as of May 2013, only 460 employees had taken advantage of the BYOD
  opportunity.
  The IRS used 519 of the 1,000 device licenses due to some employees having multiple devices.

• The analysis did not include continuing to provide and service about 190 Government-owned
  devices that are currently needed for a program that allows priority cell phone access for
  executives in case of emergency. The BYOD team noted in another document that this program
  would not be terminated regardless of the BYOD implementation, so the analysis should have
  included it.

• The analysis overestimated the number of existing phone users and the total costs associated
  with the existing Government-provided BlackBerry and cell phone programs. The January 2013
  IRS analysis was based on 20,000 total phone users, with 5,000 of those being BlackBerry
  users and the remaining 15,000 being cell phone users. However, when we requested information
  on the number of actual phone users in February 2013, the IRS told us that there were a total
  of about 14,800 users: about 4,300 BlackBerry users and about 10,500 cell phone users.

BYOD could provide significant benefits and even potential cost savings; however, these
benefits are only conjecture until the IRS conducts a thorough, realistic cost-benefit
analysis. While the White House BYOD Toolkit document states that a cost-benefit analysis of
BYOD is essential, the IRS’s own guidance does not require a detailed cost-benefit-type
analysis for small technology demonstration projects such as the BYOD pilot; thus, such efforts
have been limited.

The IRS estimates that it has spent more than $900,000 on its phased mobility efforts,
including the BYOD pilot. While some issues existed with its analysis, the IRS estimated that a
fully deployed program could cost about $3.9 million to start up and about an additional
$2.2 million a year in ongoing costs for up to 20,000 users. This compares favorably to the
IRS’s estimate of about $7.6 million in annual costs for 20,000 users in the existing program.
Even though the costs for the existing program appear to be overestimated, the IRS can realize
some savings if participation is sufficient and security issues can be resolved. However, if
users who are now provided phones as part of their work cannot be convinced to provide their
own phones for work purposes, BYOD could end up as a costly “add-on” to the existing program.

Recommendation

Recommendation 1: The Chief Technology Officer should ensure that a cost-benefit analysis, in
compliance with Office of Management and Budget Circular A-94, is completed for the existing
BYOD pilot if it is continued as well as for any potential expanded BYOD program. The
cost-benefit analysis should include realistic assumptions, especially related to participation
rate. The team preparing the analysis should include employees with a financial background who
are experienced in cost-benefit analysis.

    Management’s Response: IRS management agreed with this recommendation and stated that when
    and if there is executive approval to continue or expand BYOD beyond a technical
    demonstration, the IRS will institute a cost-benefit analysis in compliance with Office of
    Management and Budget Circular A-94.
       The IRS pointed out that the existing
       BYOD is a technology demonstration and not a pilot.

       Office of Audit Comment: We believe that the IRS should implement this
       recommendation for the existing BYOD program as well as any expanded version,
       regardless of whether it is called a technology demonstration or a pilot. Mobility efforts
       leading up to and including BYOD have cost the IRS over $900,000 so far, and the IRS
       had no estimated end date for the BYOD effort.

Increased Attention to Security Is Needed

Although the IRS did consider security and made it an important feature in implementing its
mobility efforts, more should be done to ensure the security of the IRS network. Because the
BYOD pilot takes place in the production environment, standard security controls should apply.
The IRS allows BYOD devices access to resources on the IRS network in addition to providing
e-mail access, increasing the risk that the privacy and integrity of taxpayer data could be
compromised. The IRS also allows devices based on the Android operating system to participate
in the BYOD pilot even though these devices are more subject to malware than the Apple
devices tested in earlier phases. Lastly, audit trails and training also need to be improved.

Limiting access to only e-mail functions could help mitigate risks

Because the IRS is unable to fully implement Federal-level and IRS security guidance with
respect to BYOD devices, we believe BYOD devices should only be allowed to access e-mail
functions and should not be allowed to access other IRS network resources.
This restriction
would help limit the attack vector, should a security incident occur. We believe limiting BYOD
to e-mail functions could have little impact on users, while providing greater security. A small
judgmental[8] sample of BYOD users indicated that six out of seven users only used BYOD to
read e-mails and not to access any other IRS applications. These results indicate that e-mail is
the most valued BYOD function and that other applications add value to only some users or add
only marginal benefit. Users could still use their Government-owned laptops to access the full
range of network resources when necessary.

The IRS stated that users were given access to the IRS network for the BYOD pilot in order to
evaluate the functionality and usability of mobile devices for business purposes. In terms of
assessing the risks related to this increased functionality, the IRS stated that the MDM solution
provides secure network browsing as part of its base product and that the Cybersecurity
organization did not assert any unacceptable risk, provided the data were encrypted in motion
and at rest, which the MDM solution achieves. The IRS further stated that one premise of the
BYOD pilot is to take some risks and to give users access to what is needed in order to do their
work using the MDM interface. The IRS stated that users need complete access to effectively
test the MDM solution.

[8] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

To accomplish multiple security- and privacy-related purposes, the IRS is required to implement
a range of information technology security policies.
Federal guidance[9] requires enabling use of
Personal Identity Verification credentials for controlling access to sensitive Government
information. The IRS has not implemented this control with the BYOD pilot. The Federal
Government is still working on guidance resolving issues related to applying this standard to
mobile devices. Federal mandates also require a complex password in conjunction with a
Personal Identity Verification credential to protect against unauthorized access to Government
applications and services. ***********************2*******************************
*********************************2********************************************
*****************2************************. The IRS currently is unable to enforce this
requirement ************2***************** on BYOD devices.

According to information from the U.S. Computer Emergency Readiness Team,[10] mobile phone
security in general has not kept pace with traditional computer security. As smartphones become
more popular and powerful, they have become an attractive target for attackers. Standard
computer security measures such as firewalls, antivirus, and encryption are uncommon on
mobile phones, and mobile phone operating systems are not updated as frequently as possible.
Mobile devices are vulnerable to a range of attacks, including theft, software exploits, and
phishing. Further, cybercriminals are motivated to find new types of exploits because of the
valuable information mobile devices contain. Security researchers at the Georgia Institute of
Technology have built a malicious charger that can inject persistent malware into
current-generation iOS devices without jailbreaking the device. The security researchers stated
that more motivated, well-funded adversaries could accomplish much more. The U.S.
Computer Emergency Readiness Team cautioned that, given enough time, sophistication, and access
to the device, any attacker could obtain information on the device.

The IRS commented that even if an attacker were able to gain access to the IRS network using a
BYOD device, system controls would limit access to only those applications the employee was
authorized to access. As such, if the employee did not have access to taxpayer data, the attacker
would not have access either. However, if the employee did have access to taxpayer
information, and a sophisticated attacker got access to the device, the attacker could also have
that access.

The White House BYOD Toolkit document and the IRS’s security policy state that devices must
be configured and managed with information assurance controls commensurate with the
sensitivity of the underlying data. Taxpayer and personal data are extremely sensitive
information and deserve a high level of protection that is more important than providing
convenience or modest cost savings.
We believe that until the IRS completes a cost-benefit
analysis that justifies a business need for a BYOD program, the IRS should limit BYOD access
to e-mail functions only in order to mitigate risks.

[9] Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal
Employees and Contractors directs agencywide use of Personal Identity Verification credentials for controlling
access to sensitive Government information.
[10] Cyber Threats to Mobile Phones, revised February 6, 2013.

Including Android operating system devices in BYOD increases the security risks

Android devices present more serious security risks than Apple devices in the BYOD
environment. Multiple reports have documented increased malware targeted toward mobile
devices, particularly toward Android devices. Malware presents serious risks that have not been
adequately disclosed to management in formal documentation. Android devices are a bigger
target for malware due to an open source operating system, a more lenient approval process for
inclusion in the regulated app store, multiple third-party unregulated app stores, and lack of
timely updates to correct operating system weaknesses.

In 2012, malware directed against Android devices increased significantly globally, and attacks
are expected to increase in the United States as well. Malware may include keylogger or “spy”
software. Keylogging software records keystrokes on the device and can automatically transmit
data to a remote computer. Spy-type malware monitors device activity and can deliver Internet
website addresses and upload data from a removable storage card.
With the increase in attacks
against all mobile devices, and Android devices in particular, malware presents a significant
threat to device security.

In August 2012, an IRS executive authorized the BYOD pilot, including Android devices, to
conduct operations in the production environment, and the IRS began admitting Android devices
into the program in May 2013. However, neither the authorization nor the other security
documents referenced in the authorization, including a security technology review and a control
impact assessment, discussed the security weaknesses specific to Android devices. The security
technology review in July 2012 stated that the Android devices would be included in the BYOD
pilot and that the IRS has the personnel and expertise to securely implement BYOD. However,
the control impact assessment only discussed Apple devices and did not reference Android
devices at all. No references were made in these documents to Android device weaknesses
previously identified by the Cybersecurity organization, including malware targeting of Android
devices. Based on the information discussed in the authorization, we are not convinced that the
IRS executive had enough information to make an informed decision about the risks involved in
bringing Android devices into the BYOD pilot.

It is unclear if an enterprisewide BYOD program would be either accepted by IRS users or cost
effective without including Android devices. Nevertheless, the security issues should be
acknowledged and mitigating controls identified.

Access audit trails are not retained or reviewed in compliance with IRS policy

According to the NIST, audit trails play an important role in computer security. Audit trails
maintain a record of system processes and of user activity.
One security purpose is to help
system administrators ensure that the system or resources have not been harmed by hackers,
insiders, or technical problems. Audit trails can provide a means to help accomplish several
security-related objectives, including individual accountability, reconstruction of events,
intrusion detection, and problem analysis.

*********************************************2********************************
**********.[11] **************2*********************************
************************************2*****************************************
********************2***************.

Currently, *******************************2*************************************
********************************2*********************************************
**************************2****************. However, the Cybersecurity organization
has developed interim audit trail policy for the BYOD pilot. This interim guidance directs that
***********************************2******************************************
***********************************2******************************************
*****2********. Additionally, because the BYOD operates in the production environment, we
believe it should comply with existing IRS guidance related to audit trails. BYOD accesses
involve hundreds of employees and are taking place in the production environment. The IRS
should follow its existing guidance with respect to retaining and reviewing audit trails.
If audit
trails are not available or are not reviewed, unauthorized accesses may occur and not be detected.

Training would help inform users about mobile device threats

The Government Business Council and other sources recommend providing users with
awareness training specific to the mobile environment. Office of Management and Budget
Appendix III to Circular A-130, Security of Federal Automated Information Resources, requires
that agencies ensure that users are appropriately trained in how to fulfill their security
responsibilities before allowing them access to the system. Appendix III to Circular A-130 also
states that periodic refresher training should be required for continued access to the system.
Further, the IRS’s Cybersecurity organization has indicated that user training is important to
enhance security related to mobile computing, and the Office of Privacy, Governmental Liaison,
and Disclosure has indicated that communications with users about privacy and security issues
should occur on a regular basis.

To bring its BYOD users up to speed on mobile device security, the IRS requires users to sign an
online user agreement form that sets forth BYOD policies and addresses security issues. The
IRS also provides a website where users can ask questions and see the responses from questions
previously asked by other users. However, BYOD participants are not receiving periodic
refresher training specific to BYOD threats and recommended security practices. While the IRS
requires its employees to take annual computer security awareness training, the training is not
specifically targeted toward mobile device security. However, it could be improved to provide
the ongoing security training that BYOD participants should receive.

[11] Internal Revenue Manual 10.8.3, Information Technology Security, Audit Logging Security Standards
(Sept. 16, 2011).

The Government Business Council states that lapses in judgment or forgetfulness are
unavoidable. A Telework Exchange survey[12] found that one in three Federal employees who use
their personal smartphone for work do not even have password protection on their phones.
Smartphone users may be even more susceptible to phishing than regular computer users.
Currently, the IRS has no assurance that users are knowledgeable about elevated loss and theft
rates, how to identify potentially dangerous apps, and other mobile-related device security issues.

Recommendations

The Chief Technology Officer should:

Recommendation 2: Ensure that BYOD users are allowed access only to e-mail functions in
most cases and ensure that any users provided additional access to IRS network resources
demonstrate a compelling business need for that increased access, especially considering that
laptops already have full functionality on the IRS network.

       Management’s Response: IRS management agreed with this recommendation.
       Access to additional IRS resources will use the same MDM secure container solution,
       ensuring complete isolation of IRS resources from the rest of the personal device, and be
       provided as business needs for the access are demonstrated.

       Office of Audit Comment: Although IRS management agreed with this
       recommendation, they do not plan to implement corrective action until November 2014.
       We believe that the IRS should implement this
       recommendation immediately for the
       existing BYOD participants and limit their BYOD access to e-mail functions only, unless
       a business need for further access has been demonstrated, in order to mitigate the risk of
       IRS sensitive data being compromised.

Recommendation 3: Defer admitting Android devices into a BYOD pilot or program until a
security risk assessment has been completed that thoroughly addresses the malware and other
risks associated with Android devices and the assessment has been reviewed and the risks
accepted by executive management.

       Management’s Response: IRS management disagreed with this recommendation.
       The IRS stated that BYOD is a technology demonstration and the IRS is evaluating
       various devices through the controlled secured environment of its MDM. IRS executive
       management reviewed the Cybersecurity Mobile Computing Security Technology
       Review and issued an authorization to conduct a BYOD technology demonstration which
       includes Android devices.

[12] The 2013 Digital Dilemma Report: Mobility, Security, Productivity—Can We Have It All? (Jan. 15, 2013).

       Office of Audit Comment: We acknowledged in the report that both a security
       technology review and an authorization for BYOD were completed. However, there was
       no indication that the risks related to Android devices compared to Apple devices were
       disclosed to the authorizing official.
       We continue to believe that additional risk
       information on Android should be provided to IRS executives because neither the
       Cybersecurity Mobile Computing Security Technology Review nor other documents
       referenced in the authorization described the malware and other risks related to Android
       devices.

Recommendation 4: Ensure that the existing IRS policy related to audit trails is followed,
**********************************2*******************************************
**********************************2**************************************.

       Management’s Response: IRS management agreed with this recommendation. The
       MDM has built-in facilities to accumulate an audit log of access attempts, and the IRS
       believes these built-in capabilities are sufficient while BYOD is a technology
       demonstration. The IRS will investigate a method with the MDM server to
       ***************2************. In the event that the technology demonstration is
       adapted into a production system, all IRS policies regarding audit trails will be applied
       accordingly per the Enterprise Life Cycle.

       Office of Audit Comment: The IRS stated that, if it expands the existing BYOD
       effort, it will investigate how to retain audit trails. We continue to believe that 1) the IRS
       should retain the audit trails in compliance with existing IRS policy for the current
       BYOD effort and not wait until the effort is further expanded and 2) the IRS should also
       review the audit trails daily. These controls should be implemented for the existing
       BYOD technology demonstration/pilot since there was no specified end date to the effort,
       and it already operates in the production environment with access to operational IRS
       systems and live data.
       At present, hundreds of employees and devices have access to IRS
       resources through their BYOD devices.

Recommendation 5: Provide periodic refresher training for BYOD participants that clearly
explains the risks associated with personal mobile devices, how these can potentially expose the
IRS network to unauthorized accesses and malware, the consequences of such breaches, and how
to prevent or reduce the possibility of causing such a security breach.

       Management’s Response: The IRS agreed with this recommendation contingent on
       funding. If the decision is made to continue the existing technology demonstration or
       expand the program, the IRS will develop security training materials for BYOD
       participants that clearly explain the additional security threats associated with personal
       mobile devices and IRS data as well as best practices to mitigate these threats and reduce
       risks to agency information and resources.

       Office of Audit Comment: Although IRS concerns related to funding are
       understandable, we continue to believe that all BYOD participants should be provided
       this information in some form on a regular basis to help mitigate security risks associated
       with BYOD.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to evaluate the IRS’s costs, administration, and
security for its BYOD
efforts. To accomplish this objective, we:

I.     Determined if the IRS evaluated the costs and benefits of BYOD prior to and based on
       the results of the pilot and if actual costs and benefits are being adequately captured
       during the pilot.
       A. Obtained cost-benefit guidance for Federal projects, such as Office of Management
          and Budget guidance.
       B. Obtained cost-benefit analyses that the IRS has conducted related to BYOD and any
          necessary supporting documents.
       C. Interviewed IRS officials regarding methodology for the cost-benefit analysis and
          how ongoing costs and benefits are being captured.
       D. Assessed if key costs and benefits were adequately accounted for in the IRS’s
          estimates and in the ongoing pilot.
II.    Determined if the IRS BYOD program is being effectively administered.
       A. Interviewed IRS officials regarding how the program is administered.
       B. Reviewed helpdesk requests related to BYOD and the MDM solution to identify
          issues that have been reported and how they were resolved.
       C. Reviewed the inventory of devices and participants for potential issues, such as low
          participation rates.
       D. Determined if the IRS infrastructure provides the necessary functionality for BYOD
          hardware and software and risks of expanding the program.
       E. Determined if BYOD end user-related policies and procedures are effective and in
          accordance with Federal guidance and best practices.
III.   Determined if IRS BYOD-related policies are sufficient to protect IRS data and if the
       policies have been effectively implemented in accordance with Federal policy.
       A. Obtained Governmental guidance and industry best practices related to BYOD
          (including mobile devices in general) and determined if IRS policies are in
          compliance with the NIST and other relevant guidance (including password,
          cryptographic, and Homeland Security Presidential Directive 12 guidance).
       B. Determined if access controls and identification and authentication controls are
          effectively implemented. We selected a small judgmental sample[1] of seven IRS
          employees who were participating in BYOD and were co-located with the audit team
          and observed MDM operation on the personal devices. In May 2013, there was a
          total population of 460 BYOD users.
       C. Determined if data protection controls are effectively implemented including controls
          related to encryption, passwords, connections, and data flow between BYOD
          components.
       D. Determined if configuration management controls are effectively implemented related
          to system requirements, the MDM solution, device settings, and malware protection.
       E. Determined if incident response controls are implemented effectively including the
          ability to detect jailbreaking,[2] unauthorized access attempts, or malware; the ability to
          wipe devices; and the ability to collect and review audit logs.[3]
       F. Determined if employees should have access to the IRS intranet through BYOD,
          considering risks and other factors, and if this can be limited if necessary.
       G. Determined if the program should be expanded to include Android devices.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: Federal guidance and industry best
practices related to cost, administration, and security on pilot technology projects and BYOD.
We evaluated these controls by reviewing White House guidance on BYOD; Office of
Management and Budget Circular A-94 Guidelines and Discount Rates for Benefit-Cost Analysis
of Federal Programs; Internal Revenue Manual 10.8.3, Information Technology Security, Audit
Logging Security Standards; and other IRS, NIST, and industry guidance related to mobile
devices. We also interviewed IRS Information Technology organization management in the
Cybersecurity, User and Network Services, and Risk Management organizations as well as other
IRS offices with duties related to BYOD. We interviewed and observed seven IRS employees as
they operated their BYOD devices.

[1] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.
[2] Jailbreaking a device entails bypassing certain security features built into Apple iOS devices. Jailbreaking allows
root access to the operating system and may allow a user to use apps besides those in the Apple App Store. Rooting
is similar but applies to Android devices.
[3] We used criteria for systems categorized as Moderate using criteria in NIST Federal Information Processing
Standards 199, Standards for Security Categorization of Federal Information and Information Systems (Feb.
2004).

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Kent T. Sagara, Director
Jody Kitazono, Audit Manager
Mary Jankowski, Lead Auditor
Louis Lee, Senior Auditor
Midori Ohno, Senior Auditor
Larry W. Reimer, Information Technology Specialist

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Technology Officer OS:CTO
Director, Privacy, Governmental Liaison, and Disclosure OS:P
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Strategy and Planning OS:CTO:SP
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Director, Architecture and Implementation OS:CTO:C:AI
Director, Financial Management Services OS:CTO:SP:FM
Director, Investment Planning and Management OS:CTO:SP:IPM
Director, Business Planning and Risk Management OS:CTO:SP:RM
Director, Service Planning and Involvement OS:CTO:UNS:SPI
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief Technology Officer OS:CTO

Appendix IV

Management’s Response to the Draft Report

Attachment

Draft Audit Report - Better Cost-Benefit Analysis and Security Measures Are Needed for the Bring Your Own
Device Pilot - Audit# 201320008 (e-trak #2013-46364)

CORRECTIVE ACTION MONITORING PLAN: We will enter accepted corrective actions into the Joint Audit
Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION #3: The Chief Technology Officer should defer admitting Android® devices into a
BYOD pilot or program until a security risk assessment has been completed that thoroughly addresses the malware
and other risks associated with Android® devices, and the assessment has been reviewed and the risks accepted by
executive management.

CORRECTIVE ACTION #3: The IRS disagrees with this recommendation concerning deferral of Android®
devices. This is a technology demonstration and the IRS is evaluating various devices through the controlled
secured environment of Good for Enterprise Mobile Device Management (MDM).
IRS Executive Management
reviewed the Cybersecurity Mobile Computing Security Technology Review and issued an Authorization to
Conduct BYOD technology demonstration which includes Android devices.

IMPLEMENTATION DATE: N/A

RESPONSIBLE OFFICIAL: The Associate Chief Information Officer, User and Network Services.

CORRECTIVE ACTION MONITORING PLAN: N/A

RECOMMENDATION #4: The Chief Technology Officer should ensure that the existing IRS policy related to
audit trails is followed, *******************************2****************************************
**************************************************2*************************************.

CORRECTIVE ACTION #4: The IRS agrees with this recommendation. The Good Mobile Device Management
server has built-in facilities to accumulate an audit log of access attempts, and the IRS believes these built in
capabilities are sufficient while BYOD is a technology demonstration. The IRS will investigate a method within the
Good Mobile Device Management Server ****************2******************. In the event that the
technology demonstration is adapted into a production system, then all IRS policy regarding audit trails will be
applied accordingly per the Enterprise Life Cycle (ELC).

IMPLEMENTATION DATE: February 25, 2015

RESPONSIBLE OFFICIAL: The Associate Chief Information Officer, User and Network Services